Skip to main content
Version: 8.2405.x.x RR

Attack prevention strategies by mod_qos

This chapter defines prevention measures against attacks on nevisProxy. All measures are based on the mod_qos optional Apache module.

The two main attack types are the denial of service and the brute force attack. A denial of service attack (DoS attack) attempts to make a web application unavailable to its intended users. This is provoked by consuming resources on the nevisProxy. The following two resources must be protected against such attacks:

  • TCP connections used for server HTTP requests;
  • Memory used for the session store.

Brute force attacks are repetitive attempts to either find a flaw within a web application or to find out a user's password by guess. It is recommended that you limit the number of invalid requests on a per IP basis to prohibit such kind of attacks, see the section Repeat offender.

Note that the following directives and values are only pointers and valid for basic use cases. For the most efficient prevention, you need to align these directives/values with the actual configuration of your nevisProxy and its environment. This pertains, for example, to the Apache directive MaxClients, which defines the number of simultaneously processed connections, or the resources of the host machine. For more information on the mod_qos directives, check the official documentation of mod_qos, which you find here.

Basic configuration

The basic prevention configuration is enabled by default by an ApacheConfigFilter in the template web.xml file, see the next code block. This configuration is suitable for most use cases.

Basic configuration

<filter>
    <filter-name>QosProtectionFilter</filter-name>
    <filter-class>ch:nevis:navajo:apglue:httpd_2_4_x:servlet:ApacheConfigFilter</filter-class>
    <init-param>
        <param-name>ServerConfig</param-name>
        <param-value>
            QS_SrvMaxConnClose 85%
            QS_SrvMaxConnPerIP 75 500
            QS_SrvMinDataRate 120 1500 500
        </param-value>
    </init-param>
</filter>

This configuration features the following prevention techniques:

  • The attribute SrvMaxConnClose defines the maximum number of connections that support keep-alive. If the number of concurrent connections exceeds this threshold, the TCP connection is disconnected after each request. The number of connections is defined as a percentage of the MaxClients setting. The recommended value is 85% of the maximal available connections that use keep-alive.
  • The attribute SrvMaxConnPerIP limits the number of connections that can be opened by a single IP address. The limitation is only enabled if the number of connections reaches the second parameter, 500 in this case.
  • The attribute SrvMinDataRate defines the minimum upload/download throughput that a client must generate (that is, the bytes sent/received by the client per seconds). This bandwidth is measured while receiving request data (request line, header fields, or body). The client connection is disconnected if the client does not fulfill this required minimal data rate. The required minimal throughput is increased in relation to the number of concurrent clients sending/receiving data. This prevents DoS attacks from "slow" clients jamming TCP connections. The recommended values are 120 bytes/sec if 500 connections are used and 1500 bytes/sec if the server is busy (no free connections).

If you decide to use HTTP/2, you should only use the request level control directives as mod_qos works for the hypertext transfer protocol version 1.0 and 1.1 (RFC1945/RFC2616) only. For more information, see the official mod_qos documentation.

Extra prevention measures

You can further increase DoS resistance against excessive session creation by ensuring that your client accepts cookies before creating a session. This can be achieved by setting a dedicated cookie to verify that the client returns this cookie before letting them access any application. For more information, see the mod_qos documentation, section QS_UserTrackingCookieName".

Repeat offender

If an IP sends too many requests that result in responses with status code 400 or above, you can assume that the client attempts to flood the proxy or carries out a DoS attack. An effective protection against such attacks is the so-called repeat offender. The repeat offender helps to automatically block, for a certain period of time, client IP addresses that violate a rule multiple times or cause many errors. You can configure such a repeat offender with the help of mod_qos directives. For more information, see the mod_qos documentation, section Repeat offender".

To configure this protection, set the following directives for an ApacheConfigFilter:

Repeat offender configuration

# block clients violating some basic rules frequently (don't allows more than 20 violations within 5 minutes):
QS_ClientEventBlockCount 20 300
QS_SetEnvIfStatus        400                QS_Block
QS_SetEnvIfStatus        405                QS_Block
QS_SetEnvIfStatus        406                QS_Block
QS_SetEnvIfStatus        408                QS_Block
QS_SetEnvIfStatus        413                QS_Block
QS_SetEnvIfStatus        414                QS_Block
QS_SetEnvIfStatus        500                QS_Block
QS_SetEnvIfStatus        QS_SrvMinDataRate  QS_Block
QS_SetEnvIfStatus        QS_SrvMaxConnPerIP QS_Block
QS_SetEnvIfStatus        BrokenConnection   QS_Block
QS_SetEnvIfStatus        NullConnection     QS_Block

If an IP reaches the violation limit, nevisProxy rejects all incoming TCP connections from that address until the limitation expires. If the rule is violated, the mod_qos module redirects the request to the path defined with the QS_ErrorPage directive. A similar error message will be traced in the Navajo log file:

2020 08 07 12:27:55.315 4.2.0.0rc0 Apache     110679.139792602695424 3-ERROR :  mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=20, age=4, c=192.168.37.163, id=cQ3ZDkesBQCXGCSjBQAAAAAHbQDkKy16 [APAC-0005]

Limiting authentication events

You can limit the number of unsuccessful login attempts (or of any other event) with the following configuration settings:

QS_ClientEventLimitCount 20 120 AU04_Limit
QS_SetEnvRes             Event AU04 AU04_Limit

The above settings limit the number of unsuccessful login attempts coming from a specific IP to 20 within two minutes. If the limit of 20 is reached, the IP will be blocked for the time being. This configuration can help avoid brute force attacks that try to guess a user's login credentials. If the rule is violated, the mod_qos module redirects the request to the path defined with the QS_ErrorPage directive. A similar error message will be traced in the Navajo log file:

2020 08 07 12:17:26.410 4.2.0.0rc0 Apache     104697.139706065422080 3-ERROR :  mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=AU04_Limit, max=20, current=20, age=10, c=192.168.37.163, id=kLdc6UasBQA5MCSjDgAAAAAHZ9ocKi16 [APAC-0005]

You can extend the same configuration to also limit the number of newly created sessions by one IP, via the SC01 event. For more information on this event and all other available events, see Appendix A - nevisProxy Events.